Cyber Brief: NCSC Surge, Windows 10, SonicWall and Android Risks

Cyber threats continue to evolve at pace — and today’s stories highlight why proactive patching, infrastructure monitoring, and secure authentication remain at the heart of resilience. In this edition, we examine critical vulnerabilities, end-of-life systems, and a steep rise in UK-reported incidents.


NCSC warns of surge in high-severity incidents across UK sectors

The National Cyber Security Centre (NCSC) has revealed that it handled more than 400 cyber incidents over the past year — with 18 classified as “highly significant”. The spike includes ransomware operations against local government, healthcare, and financial organisations, many traced to organised criminal groups using commodity malware and credential reuse to breach defences.

The NCSC emphasised the importance of layered security controls, urging UK businesses to adopt regular testing, MFA enforcement, and threat-intelligence-led improvements. It also highlighted the ongoing need for board-level visibility into cyber risk as part of wider operational resilience planning.

Why it matters: An incident may not always make headlines, but the threat volume is climbing. For SMEs and regulated entities, continuous monitoring, staff awareness, and validation testing are essential to prevent an attack from escalating into a business-wide outage.
Source: NCSC Annual Report


Windows 10 reaches end of support as millions remain unpatched

Microsoft officially ended mainstream support for Windows 10 on 14 October 2025. Despite years of notice, millions of devices remain in use across small businesses, schools, and government supply chains. Without new updates, those systems will no longer receive critical security patches, leaving them vulnerable to exploitation.

Attackers frequently scan for unpatched or legacy systems as easy entry points. Organisations that depend on Windows 10-based applications must either migrate to Windows 11 or use extended-security-update programmes to maintain protection temporarily.

Why it matters: Unsupported operating systems represent a permanent hole in your defence. Any device left running Windows 10 should be isolated, replaced, or covered by a defined migration plan to avoid becoming the weakest link in your environment.
Source: Microsoft Security Response Center


SonicWall breach exposes VPN credentials and backup data

SonicWall has confirmed a security incident involving unauthorised access to encrypted backup files and a limited number of customer VPN credentials. Investigation teams reported that approximately 100 SSLVPN accounts were affected after attackers exploited compromised passwords to reach internal systems.

The company has rotated credentials, issued updated guidance to customers, and recommended that all organisations review remote-access configurations for potential exposure. The event underscores how even well-known vendors can be used as stepping stones in multi-stage attacks.

Why it matters: VPNs remain a favourite target for threat actors seeking privileged network access. Reviewing credential hygiene, enforcing MFA for administrative accounts, and monitoring for anomalous logins are simple but high-impact steps toward stronger remote-access security.
Source: SonicWall Security Advisory


Android ‘Pixnapping’ attack bypasses screen-capture protections

Security researchers have identified a new Android exploitation technique, dubbed “Pixnapping”, which allows malicious applications to record on-screen content — including 2FA codes, messages, or sensitive data — without user consent. The method abuses accessibility and overlay permissions that are often granted by default.

Google has confirmed it is testing mitigations for future Android releases. Meanwhile, users and businesses should treat app-permission requests with caution and consider using mobile-device-management (MDM) controls to restrict app installation across managed devices.

Why it matters: Mobile devices are central to corporate authentication. If threat actors can intercept what appears on screen, even multi-factor authentication may be compromised. Reviewing mobile-security policies is essential to prevent credential theft via unmanaged or personal phones.
Source: Independent Security Research (Pixnapping disclosure)


🔍 Today’s Key Actions

  1. Conduct a patch and system-inventory review, prioritising unsupported software such as Windows 10.
  2. Enforce strong MFA and credential rotation on all VPN and remote-access solutions.
  3. Review mobile-device-management policies — restrict high-risk permissions and third-party app installs.
  4. Revisit incident-response playbooks to ensure reporting paths and escalation are current.
  5. Brief leadership teams using NCSC’s report as evidence for resource allocation and testing schedules.


💬 Secarma Insight

Every patch left unapplied and every outdated platform maintained is an opportunity for attackers. Secarma’s ACT Framework (Advise, Certify, Test) helps organisations close those gaps before they’re exploited. From system hardening to penetration testing and certification readiness, our consultants build resilience that lasts.
